password regex

[Destramic]

hey guys im trying to make a regual expresion for a password with the conditions that it must contain 2 of each character: upper case letter, lower case letter, number or symbol...i have the regular exprssion below individually but how do i put it into one expression please?

 

possible matches:

des$tramic

destram1c

Destramic

^
(?=.*[A-Z].*[!@#$&*])  // upper case  letter with symbol
(?=.*[A-Z].*[a-z]) // upper case letter with lower case letter
(?=.*[A-Z].*[0-9]) // upper case letter with number
(?=.*[!@#$&*].*[0-9]) // symbol with number
(?=.*[a-z].*[!@#$&*]) lower case character with symbol
(?=.*[a-z].*[0-9]) // lower case character with number
$

thank you

[requinix]

1. It's already in one expression.

2. Those don't match with what you said you wanted to do.

 

Here are some reasonable passwords your current regex(es) won't allow me to use, driving me away from your site:

- de$traM1c

- de$TR4M!C

- de$7rAm!c

- d3sTr4M!c

- DE$tr4m1c

- DE$7ram!c

 

Not to mention that the three examples you gave don't even match...

[Jacques1]

And why do you need a single regex? This massively reduces readibility and robustness (as you can see), so it shouldn't be done at all. Are you struggling with some crappy validator?

 

This kind of password policy is also extremely naive, annoying and counter-productive. Yes, we'd all love to have people come up with and memorize hundreds of super-long, cryptic passwords. But in reality, this isn't gonna happen:

• The users who don't care about password security will hardly change their mind if you annoy them with error messages. They'll simply add some symbols to their weak password to make your validator happy, which isn't very helpful.
• The users who do care about security often use a password manager or passphrases. That's when your policy actually gets in their way. For example, I always use 32 hexadecimal digits to represent 128 randomly generated bits. This is a perfect password, yet you won't let me use it. I'd have to manually choose a different one only to get past the stupid validation. That's obviously a problem.

So what's the whole point? I think the whole approach is just nonsense.

 

There are much smarter ways to promote strong passwords:

• Tell your users about password managers like KeePass. This is really the only realistic solution for managing dozens of different user accounts.
• Maybe add a password meter as an indicator for the user. This motivates them to choose a strong password instead of punishing them for what you think is a bad password. Since you cannot reliably estimate the strength of the password, it's also important that the check can be bypassed.

[Destramic]

• Tell your users about password managers like KeePass. This is really the only realistic solution for managing dozens of different user accounts.
• Maybe add a password meter as an indicator for the user. This motivates them to choose a strong password instead of punishing them for what you think is a bad password. Since you cannot reliably estimate the strength of the password, it's also important that the check can be bypassed.

 

i agree with what your saying...although you see all major websites ask users to have certain criteria in thier passwords...but what i was trying to achieve is:

 

 

- de$traM1c

- de$TR4M!C

- de$7rAm!c

- d3sTr4M!c

- DE$tr4m1c

- DE$7ram!c

 

as all these password contain 2 of the wanted criteria (that was the regual expression i was looking for)...as long as the password is encrypted correctly it should secure, but...allowing a user to choose a simple password such as "mypassword" or something of that nature only reduces security.

[requinix]

as all these password contain 2 of the wanted criteria

Correct. But I wasn't talking about that. I was only commenting on the regex you had and how it's not very good.

 

(that was the regual expression i was looking for)

But then you went on to show a regex that does not do what you said.

 

...as long as the password is encrypted correctly it should secure

*Hashed. But no, that's not necessarily the case.

 

but...allowing a user to choose a simple password such as "mypassword" or something of that nature only reduces security.

Right... Edited November 12, 2014 by requinix

[Jacques1]

Destramic, we all agree that good passwords are very important. The question is how you get there.

 

Sure, a password policy is an obvious and simple approach, which is why it's so popular. But popular doesn't mean good.

 

Do you really believe you can force a user to choose a good password? Do you think a user who at first doesn't give a shit about security suddenly changes their mind and comes up with some really good password? I don't think so. They'll use something like “AAbb11!!” which is just enough to make your validator happy but obviously not secure. At the same time, you get in the way of people who do care about security but simply use a different password scheme (like myself).

 

Long story short, this is nonsense. It may sound good in theory, but it simply doesn't pass the reality check. If you actually care about password security, help your users with practical advice. Give them a link to a good password manager like KeePass, point them to the famous “correct horse battery staple” comic to explain the concept of passphrases. This is something which actually works in reality.

[Destramic]

ok well thank you both for your views and your time  ...for now i'll just scrap a password validation and allow the user to choose, possibly giving advise.

 

thank you again guys